Configuring a PositiveSSL certificate with Stud
This article shows how to configure a PositiveSSL certificate with stud (the Scalable TLS Unwrapping Daemon). The default setup requires us to enter the passphrase for the private key at start. We will include a set of optional steps to remove the passphrase from the private key, which reduces the security of the installation, but is required if we want to set up stud to start automatically at server boot.
Pre-requisites
Your PositiveSSL certificate bundle.
Once PositiveSSL approves our certificate request, they send a certificate bundle, usually a ZIP file containing three files — your certificate, a class 1 intermediate certificate and a root certificate. Unpack the archive and it should look something like the following:
The private keys we signed the request with.
A working stud installation.
Please see the stud repository and this earlier blog post for more on how to compile and install a working stud.
Preparing a PEM bundle for stud
Stud requires a single PEM file that contains the following things, in this order:
- Domain certificate
- Intermediate certificates (in our case, the PositiveSSL CA)
- Root CA
- Private key
The following command creates it:
cat alexnj_com.crt PositiveSSLCA2.crt \
AddTrustExternalCARoot.crt alexnj.com.key \
> bundle.pem
Load stud with the PEM bundle
stud /opt/stud/certs-assembly/bundle.pem -u nobody
Stud will ask for the PEM passphrase. Enter the private key passphrase and, if everything went well, stud will load the certificate and start serving SSL requests.
Optionally, remove the passphrase from our key file
This is required only if we want to set up stud to start without a passphrase prompt, for example for automatic start at server boot. Run the following command. We will need to enter the key passphrase one last time.
openssl rsa -in alexnj.com.key -out alexnj.com.nopass.key
The file alexnj.com.nopass.key will now contain a version of the private key that is not encrypted with the passphrase. If we create a PEM bundle with this file instead of the file alexnj.com.key, stud won’t prompt for a passphrase at load. Because the key is now stored in the clear, anyone who can read this file or the bundle built from it has the private key. To create the new bundle, once again:
cat alexnj_com.crt PositiveSSLCA2.crt \
AddTrustExternalCARoot.crt alexnj.com.nopass.key \
> bundle.pem
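Before starting stud with either bundle, it helps to confirm that the file has the block order listed above, whether the key inside is still passphrase-protected, and that only its owner can access it. The script below is an added example, not part of the original article or of stud; its function names are hypothetical and the sample bundles built in demo are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original article. pem_layout, key_is_encrypted,
# check_bundle and demo are hypothetical helper names, not part of stud.

# Print the PEM block types in file order, comma-separated.
pem_layout() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | paste -sd, -
}

# Succeed when the key is passphrase-protected: traditional PEM encryption
# header, or a PKCS#8 "ENCRYPTED PRIVATE KEY" block.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Return 0 only if the bundle holds certificates first, exactly one private
# key last, and no group/other permission bits. Findings go to stderr.
check_bundle() {
    bundle=$1 rc=0
    layout=$(pem_layout "$bundle")
    printf '%s\n' "$layout" | grep -Eq '^(CERTIFICATE,)+[A-Z ]*PRIVATE KEY$' || {
        echo "unexpected block order: ${layout:-no PEM blocks found}" >&2; rc=1; }
    mode=$(ls -ld "$bundle" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "group/other can access the bundle ($mode): chmod 600 it" >&2; rc=1
    fi
    if key_is_encrypted "$bundle"; then
        echo "key is encrypted: stud will prompt for the passphrase" >&2
    else
        echo "key is unencrypted: file permissions are its only protection" >&2
    fi
    return $rc
}

# Constructed sample bundles (placeholder bodies, not real key material).
demo() {
    d=$(mktemp -d) || return 1
    ( umask 077
      pem() { printf '%s\n' "-----BEGIN $1-----" "Q09OU1RSVUNURUQ=" "-----END $1-----"; }
      { pem CERTIFICATE; pem CERTIFICATE; pem "RSA PRIVATE KEY"; } > "$d/good.pem"
      { pem "RSA PRIVATE KEY"; pem CERTIFICATE; } > "$d/bad.pem"
      for f in good bad; do
          if check_bundle "$d/$f.pem"; then echo "$f.pem: ok"
          else echo "$f.pem: rejected"; fi
      done )
    rm -rf "$d"
}

if [ $# -gt 0 ]; then check_bundle "$1"; else demo; fi
```

Given a path as its first argument the script checks that bundle and exits non-zero on a finding; with no argument it runs the constructed demo.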
That’s it. We have the PositiveSSL certificate configured with stud and ready to respond to SSL requests. Fire up stud, open the box with an https:// URL and see it serving SSL pages signed with your brand new certificate.